Search message tracking logs

In Microsoft Exchange Server 2013, the message tracking log is a detailed record of all message activity as messages are transferred to and from the Transport service on Mailbox servers, mailboxes on Mailbox servers, and Edge Transport servers.

You can use the Get-MessageTrackingLog cmdlet in the Exchange Management Shell to search for entries in the message tracking log by using specific search criteria.

You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Message tracking" entry in the Mail flow permissions topic.

Searching the message tracking logs requires the Microsoft Exchange Transport Log Search service to be running. If you disable or stop this service, you can't search the message tracking logs or run delivery reports. However, stopping this service does not affect other features in Exchange.

The field names displayed by the results from the Get-MessageTrackingLog cmdlet are similar to the actual field names used in the message tracking logs. The biggest differences are:

The dashes are removed from the field names. For example internal-message-id is displayed as InternalMessageId.

The date-time field is displayed as Timestamp.

The recipient-address field is displayed as Recipients.

The sender-address field is displayed as Sender.

The date-time field in the message tracking log stores information in Coordinated Universal Time (UTC). However, you should enter your date-time search criteria for the Start or End parameters in the regional date-time format of the computer that you are using to perform the search.

You can't copy the message tracking log files from another Exchange server and then search them by using the Get-MessageTrackingLog cmdlet. Also, if you manually save an existing message tracking log file, the change in the file's date-time stamp breaks the query logic that Exchange uses to search the message tracking logs.

The Exchange 2013 Get-MessageTrackingLog cmdlet is able to search the message tracking logs on Exchange 2007 and Exchange 2010 servers in the same Active Directory site.

Typically, the value in the MessageID: header field remains constant as the message travels throughout the Exchange organization. This property is named InternetMessageId in queue viewing utilities, and MessageId in the message tracking log viewing utilities. After you have determined the MessageID: value of a specific message, you can search for information about that message in the message tracking logs on every Mailbox server in your Exchange organization.

To search all message tracking log entries for a specific message across all Mailbox servers, use the following syntax.

This example searches the message tracking logs on all Exchange 2013 Mailbox servers using the following search criteria:

Find any entries related to a message that has a MessageID: value of <ba18339e-8151-4ff3-aeea-87ccf5fc9796@mailbox01.contoso.com>. Note that you can omit the angle bracket characters (< >). If you don't, you need to enclose the entire MessageID: value in quotation marks.

For each entry, display the fields date-time, server-hostname, client-hostname, source, event-id, and recipient-address.

You can use the Delivery Reports for administrators feature in the Exchange admin center (EAC) to search the message tracking logs for information about messages sent by or received by a specific mailbox in your organization. For more information see Track messages with delivery reports.